Detecting a ransomware attack before the demand

The lifecycle of ransomware includes six phases: the attack, embedding and persistence, scanning, encryption, and the ransom itself. Implementing 360° visibility into your network traffic increases your chances of catching ransomware early in the kill chain. Applying behavioral analytics to look for anomalies in your network allows you to detect, prevent, and mitigate the attack.

Catch ransomware early with IronNet

Ransomware attack vectors, which network detection and response tools such as IronDefense can identify, typically include:
social engineering
“legitimate” user credentials: from services such as remote desktop protocols and remote file sharing
exploitation: for example via publicly known, but unpatched, software vulnerabilities
command and control: domain generation
encryption: files are encrypted after backup files are removed

IronNet’s behavioral analytics are designed to detect these behavior indicators in advance of the ransom. The illustration below shows how IronNet analytics detect ransomware behaviors before the ransom stage.

[Illustration: with IronNet / without IronNet]
In the above illustration, based on the TTPs observed in this example attack, IronNet’s behavioral analytics can detect several connections to primary backup repositories using compromised service accounts shortly before encryption. By spotting anomalies early in the ransomware lifecycle, during the intrusion vectors and network dwell time, behavioral analytics can sound alerts to halt this type of progression.
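
The behavior described above (a service account suddenly reaching several backup repositories it has no history with) can be sketched as a baseline comparison over connection records. This is an added example, not IronNet's analytics or code; the log format, host and account names, repository inventory, window and threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed inventory and tuning values (hypothetical, not from the page).
BACKUP_REPOS = {"bkp-01", "bkp-02", "bkp-03"}
WINDOW = timedelta(minutes=30)   # burst window
MIN_NEW_PAIRS = 2                # distinct never-seen (source, repo) pairs

# Constructed sample records: "timestamp account source destination".
BASELINE = [
    "2024-03-01T02:00:00 svc-backup app-srv-1 bkp-01",
    "2024-03-02T02:05:00 svc-backup app-srv-1 bkp-02",
    "2024-03-02T09:00:00 svc-sql db-srv-1 fileshare-1",
]
OBSERVED = [
    "2024-03-08T02:00:00 svc-backup app-srv-1 bkp-01",  # routine job
    "2024-03-08T14:02:10 svc-sql ws-114 bkp-01",        # no history
    "2024-03-08T14:05:42 svc-sql ws-114 bkp-02",
    "2024-03-08T14:11:03 svc-sql ws-114 bkp-03",
    "2024-03-08T14:20:00 svc-sql db-srv-1 fileshare-1",  # not a backup repo
    "2024-03-08T16:00:00 svc-web web-1 bkp-01",          # single new pair
]

def parse(line):
    ts, account, src, dst = line.split()
    return datetime.fromisoformat(ts), account, src, dst

def detect(baseline_lines, observed_lines):
    """Return {account: [(source, repo), ...]} for accounts that reach
    MIN_NEW_PAIRS or more backup repos, within WINDOW, over
    (account, source, repo) combinations absent from the baseline."""
    known = {parse(line)[1:] for line in baseline_lines}
    recent = defaultdict(list)   # account -> [(ts, src, dst)] still in window
    alerts = {}
    for ts, account, src, dst in sorted(map(parse, observed_lines)):
        if dst not in BACKUP_REPOS or (account, src, dst) in known:
            continue             # not backup traffic, or already normal
        hits = [h for h in recent[account] if ts - h[0] <= WINDOW]
        hits.append((ts, src, dst))
        recent[account] = hits
        pairs = {(s, d) for _, s, d in hits}
        if len(pairs) >= MIN_NEW_PAIRS:
            alerts[account] = sorted(pairs)
    return alerts

if __name__ == "__main__":
    for account, pairs in detect(BASELINE, OBSERVED).items():
        print(f"ALERT {account}: new backup-repo connections {pairs}")
```

A single new pair (such as `svc-web` here) stays below the threshold; in practice that threshold trades alert volume against how early in the pre-encryption stage the burst is caught.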

Ransomware media coverage and analysis

Ransomware technical resources

Detecting ransomware: three research-based recommendations

IronNet Threat Research team analyzes North-South, East-West, and endpoint detection opportunities

Navigating Maze ransomware

Unravel the TTPs of this high-profile ransomware — and how IronNet’s behavioral analytics can detect it, by Sachin Deodhar

On-demand demo

Discover the power of IronDefense, the industry’s most advanced network detection and response (NDR) solution to detect behavior indicators using analytics. Walk through a use case to learn more about product features and the Collective Defense approach. Start your on-demand demo now.